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(54) Abstract Title 

Authenticating postage marks 

(57) Apparatus for determining the validity of a postage mark includes 

detector means 152 operable to detect a marker in a postage mark and to generate data representative 
of characteristics of the marker, and 

logic means 156 operable to compare the generated characteristic data with stored characteristic data 
for the marker; 

wherein the logic means determines the postage mark to be valid if the generated characteristic data 
matches the stored characteristic data, or determines the postage mark to be invalid if the generated 
characteristic data does not match the stored characteristic data. 
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At least one drawing originally filed was informal and the print reproduced here is taken from a later filed formal copy. 
The print reflects an assignment of the application under the provisions of Section 30 of the Patents Act 1977. 
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1 

Improvements Relating to Postal Systems 

This invention relates, in general terms, to improvements in Postal 
Systems, and in particular to the use of Digital Postage Marks (DPMs) in such 
systems. 

Before embarking upon this description, it is worth noting at this 
juncture that Digital Postage Marks (or postage paid indicia as they will also 
be referred to) should not be confused with conventional postmarks which are 
used to indicate that postage applied to postal items has been cancelled. 
Digital Postage Marks are indicia applied to postal items which indicate the 
postage paid (amongst other things), whereas conventional postmarks are 
applied after postage has been purchased to cancel that postage. 

Figure 1 is a schematic illustration of the various components of a 
known postal system, such as that which has been operated successfully for 
many years by the Royal Mail on behalf of the United Kingdom postal 
authorities. 

As shown in Figure 1, collection and delivery of postal items (such as 
letters, postcards, parcels etc.) in the Postal System 1 is split into three general 
stages, a collection stage 3, a sorting stage 5, and a delivery stage 7. 

At the collection stage 3 postal items are collected from a variety of 
different sources, such as from post boxes 9 dotted around the country, from 
post offices 1 1 where the postal items have been handed by the public to the 
postal authorities, and direct from businesses 13. 

The collected postal items are gathered together at local nodes of the 



postal system and are then sent to one or more district collection hubs 15 
where postal items from a number of local nodes are gathered together. 

In the second stage 7 of the postal system, all the items sent to the 
district collection hubs 15 are sent to a so-called "outward" mail centre 17 for 
sorting. The outward mail centre 17 is so named because it deals with postal 
items that are on their way out of the postal system to the addressee of the 
item. 

At the outward mail centre 17, incoming postal items from the 
collection hubs are sorted into those items which are destined for delivery in 
designated districts surrounding the outward mail centre (local items), and 
those which are destined for delivery to other districts which are further afield 
(remote items). 

Local items are finely sorted (for example into items for particular 
towns and/or streets) and are then sent on from the outward mail centre to 
appropriate local delivery offices 19 for delivery to the postal item addressees 
in the third stage 7 of the postal system 1. 

Remote items are roughly sorted (for example into items for particular 
regions of the country) and are sent onto the appropriate inward mail centre 
21 for each region of the country. At the inward mail centre (so named 
because it deals with postal items that are coming into the postal system prior 
to delivery) the items received from the outward mail centre 17, and from 
elsewhere, are finely sorted into, for example, items for particular towns 
and/or streets. 



The third and final stage of the postal system 1 is the delivery stage 7 
where postal items sorted by the inward mail centre 21 are transferred to local 
delivery offices 23 for delivery to the postal item addressees. At this stage of 
the process the local items sorted by the outward mail centre 17 are also 
delivered by the local delivery offices to the item addressees. 

Figure 2 is a schematic illustration of the various processes which 
occur when postal items are sorted at one of the aforementioned mail centres 
for example the outward mail centre 1 7. 

As shown in Figure 2, postal items of a variety of different types 
arrive at the mail centre from the collection hub 1 5. The arriving postal items 
25 can be roughly split into those items 27 (meter pouches) which have been 
presorted into class pouches (red pouches for first class mail, green pouches 
for second class mail) by customers, those items 29 which have been collected 
from post boxes 9 and post offices 11, those items 31 which have been 
received from customers with Royal Mail accounts, and those priority service 
items 33 which have an additional payment for one of the many different 
types of priority service. 

Typically, presorted items in meter pouches 27 are those which have 
been collected from businesses in the collection stage 3 of the postal system 
shown in Figure 1. Account items are typically from businesses which send 
out a large amount of correspondence, for example direct mailing companies. 
Account items are often known as PPI mail (or Printed Postage Impression 
mail) due to the fact that the envelopes used are usually preprinted with the 



appropriate postage. Collection items 29 will typically not have been sorted 
for class of service (e.g. 1 st class or 2 nd class), or for size of mail. 

In the next stage of the sorting process, postal items in meter pouches 
27 are transferred to a meter table 35 where the postal items are manually 
removed from the pouches and either transferred to an Integrated Mail 
Processor 37 (known as an IMP) or direct to a primary sortation facility 39 for 
further processing. 

Collection postal items 29 once received by the mail centre 17 are 
transferred to the IMP 37 for further processing. Account postal items 31 are 
passed first to a revenue protection facility 41 before also being passed to the 
IMP 37. 

In the revenue protection facility 41, bags of postal items received 
from account customers are weighed, and the read weight is checked against a 
bag weight printed by the customer on a ticket attached to the bag. The 
charge billed to the customer's account can be adjusted in the event of any 
discrepancy between the weight declared by the customer and the weight read 
by the revenue protection facility. 

Priority service postal items 33 are kept separate from the remainder 
of the postal items and are passed to a security locker 43 where they are sorted 
prior to being dispatched at a security despatch station 45. 

As mentioned above, all of the collection items 29, some or all of the 
meter pouch items 29, and the account items 31 are passed to the IMP 37 for 
sorting. Any mail unsuitable for sorting via the IMP 37 is rejected and sent to 



the primary sortation facility 39. 

The operation of the IMP will later be described, but at this juncture it 
suffices to mention that the IMP operates (for those items which can be 
automatically sorted): 

(i) to detect the class of the postal items (i.e. whether first or second 
class); 

(ii) to cancel postage applied to the postal items; 

(iii) to apply a machine readable code which identifies both the class 
and the destination to the postal items, and 

(iv) to sort me postal items by destination. 

Any items which cannot be processed by the IMP 37 (or meter pouch 
items 27 not routed via the IMP), for example because they have an unusual 
shape or because the address cannot be read, are passed to the primary 
sortation facility 39 where they are fine sorted by hand into mail for local 
regions and rough sorted into mail for remote regions. The items for the 
remote regions are then passed to a secondary sortation facility 47 where they 
are more finely sorted. 

Once the postal items have been sorted; either by the IMP 37 or by the 
primary and secondary sortation facilities 39, 47; they are passed to a 
despatch facility 49 where they are despatched to local delivery facilities or to 
an inward mail centre 21 such as that described above with reference to 
Figure 1. 

Figure 3 provides an illustrative schematic view of the various 
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components of the IMP 37. 

In a first step 51, the IMP 37 is manually loaded with postal items with 
obviously outsize (or otherwise objectionable) postal items being rejected by 
the individuals loading the machine. 
5 The postal items entering the IMP pass up a conveyor belt to a culler 

53 where the postal items are spun in a rotating drum. The sides of the drum 
are slotted so that postal items which are suitable for automatic processing fall 
through the slots. Postal items which are too large for automatic processing 
are rejected (in step 57), and move through the drum and fall out the end. 

10 These outsize, or otherwise unsuitable, items are collected and taken to the 
primary sortation facility 39 for hand sorting. Typically, the IMP will reject 
any postal items which have a thickness that is greater than 6mm or so. 

Postal items falling through the slots in the drum in the culler 53 are 
passed to a facing an classing unit 55 where the items are appropriately 

15 orientated, and the postal class of the items is determined. Again, any items 
which cannot be classed, or which cannot be faced are rejected (in step 57) 
and passed to the primary sortation facility 39 for hand sorting. 

Correctly faced and classed postal items are then passed to a 
cancelling unit 59 which cancels postage applied to the items by overprinting 

20 the postage with a post mark. Once the postage has been cancelled the items 
are passed to an OCR device 61 where an image is taken of the address block 
on the item and an optical character recognition process is employed to 
attempt to determine the postal code of the address block. 



If the postal code can be determined by the OCR device 61, then a 
code is applied to the front of the postal item by a coding device in step 63 
and the item is sorted in accordance with the applied code in step 65. 

If the postal code cannot be read for any of these items, the image of 
the address block is sent to a remote post code determining suite and the items 
in question are passed to a delay line 63 which sidelines the postal item in 
question for a predetermined period of time. Whilst a given item is in the 
delay line, an operator in the post code determining suite is presented with the 
image of the address block and that operator is provided with a short period of 
time to determine and input the correct post code from the image presented. 
The correct inputted post code, once inputted, is assigned to the associated 
postal item, and the item is then coded (in step 63) and sorted (in step 65). 

If the operator cannot identify the correct post code from the image 
presented, then the hem concerned is rejected (in step 57) and passed to the 
primary sortation facility 39 for hand sorting. 

As shown in Figure 2, items which have been correctly coded and 
sorted by the IMP 37 are passed directly to the despatch facility 49 where they 
are despatched to local delivery facilities or to an inward mail centre 21 such 
as that described above with reference to Figure 1 . 

Figure 4a is a schematic illustration of a coded indicia 67 of the type 
typically applied by the coding unit 63 of the IMP 37 shown in Figure 3. 

The coded indicia shown in Figure 4 is a so-called "four state bar 
code", and is sometimes referred to as the Royal Mail 4-State Customer Code 
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(RM4SCC). The RM4SCC was specially developed by the Royal Mail for 
automated mail sortation processes, and is used to print the postcode and 
delivery point suffix (DPS) which identifies both the destination point of the 
postal item and the identity of the post office from which delivery of the item 
will be made. Four State Barcodes are also used, amongst others, by the 
Dutch and Canadian postal authorities. 

The RM4SCC is based on 36 barcodes which are capable of 
representing alphanumeric characters 0 to 9 and A to Z, and start and stop 
characters and ")" respectively. As shown in Figure 4a, in the barcode a 
small black bar extends upwards, downwards or in both directions, and any 
one alphanumeric symbol is encoded by four bars - two of which have an 
upward extension and two of which have a downward extension. 

Figure 4b illustrates in graphical form the bar combinations and 
corresponding alphanumeric symbols. In Figure 4b, the symbols to the left of 
the slash represent upward bar extensions and the symbols to the right of the 
slash represent downward bar extensions. In each case, a plus symbol means 
that the bar is extended and a minus symbol means that the bar is not 
extended. 

As has been briefly mentioned above, postage is applied to postal 
items prior to those items being collected by the postal authorities. In the case 
of individual customers, that postage is most likely to be in the form of 
gummed stamps which the customer purchases, for example from a post 
office, and then affixes to the item or items to be posted. 



Corporate customers tend not to use individual gummed stamps since 
the process of dampening the gummed layer and affixing the stamp to 
individual items would be very labour intensive if a large number of items 
were to sent out in any one day. For these customers, the Post Office - 
amongst others - have developed so called Franking Machines which can be 
operated to print postage paid indicia onto self-adhesive labels which can then 
be affixed to the item or items to be posted. 

Franking machines (such as the FRAMA® Sensonic 2100 
manufactured by FRAMA AG of Lauperswil, Switzerland) are preloaded with 
postal credit purchased by a customer from the Post Office or one of their 
agents. To use the franking machine the customer must first weigh the postal 
item and select the class of postage required. The price for that postal weight 
and postal class is then displayed and the price must then be entered into the 
franking machine. The customer then inserts one of the aforementioned self 
adhesive labels into the machine and a postage paid indicia is printed onto the 
label to indicate that postage amounting to the price indicated has been paid. 
At the same time, the postal credit stored on the franking machine is debited 
by the amount of postage printed onto the label. Postal credit on the franking 
machine can be topped up, upon payment, as required by the customer, and is 
stored in a secure Postal Security Device (PSD) of the franking machine. The 
PSD functions to account for value credits to the franking machine and postal 
debits therefrom 

Typically, the meter pouch postal items 27 referred to above in Figure 
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1 will be franked postal items that each bear one of these postage paid self- 
adhesive labels. 

In addition to stamped mail, and franked mail, there are also other 
mechanisms for prepaying postage. For example, it is commonplace for 
companies to send out business reply envelopes which are pre-printed with 
postage paid indicia. It is also commonplace for companies who are sending 
large amounts of mail (the companies referred to in Figure 1 as account 
customers sending account mail 31) to use envelopes that have been pre- 
printed with postage paid indicia. 

This system, whilst it has functioned adequately for many years, does 
have a number of associated problems. 

As will be immediately apparent from Figure 2, it is only the account 
mail (from, for example, bulk customers of the post office) which is submitted 
to the revenue protection facility 41 . 

Franked mail (which will typically arrive within the meter pouches 27 
shown in Figure 1) is provided with a cursory check at the collection hub 15 
before it is transferred to the outward mail centre 1 7, but it is not reviewed by 
the revenue protection facility. 

It has recently come to the attention of the Post Office that the checks 
performed on this franked mail are not satisfactory as there are many ways of 
reproducing postage paid indicia on self-adhesive labels without an associated 
debit of the postage credit stored on the franking machine. 

Even if each and every item of franked mail were to be subjected to an 
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individual inspection, items of mail with fraudulent postage paid indicia 
would still get into the postal system as it is not always possible to spot a 
fraudulent indicia by visual inspection. 

Obviously, for security reasons it is not appropriate to explain in this 
document how these fraudulent indicia can be produced. It will suffice for the 
purposes of the present document to state that this is a serious problem, and 
that the Post Office are potentially losing a significant amount of income from 
fraudulent activity of this type. 

Another problem associated with the use of franking machines is that 
companies are typically required to hire the franking machine from the Post 
Office or their agents. The hire of these machines can be quite a significant 
expense especially for small companies who do not produce large quantities 
of mail, but nevertheless do not want to have to use gummed stamps. 

A further problem is that the franking machines are typically 
preloaded with a not inconsequential sum of money, which the company 
concerned cannot use once it has been used to charge the machine. 

To alleviate some of these problems it has been proposed to provide 
so-called PC franking, where postage paid indicia can be printed onto 
envelopes using one of a number of normal desktop printers connected to a 
standard computer, such as a PC for example. Pitney Bowes and a company 
called Stamps.Com both offer internet based PC Franking systems (see 
www.stamps.com and www.clickstamp.pb.com for details) where postage can 
be bought via the internet, and postage paid indicia can be printed onto 



12 

envelopes using commonly available desktop computers and printers. 

These internet systems would seem, at first sight, to resolve most of 
the problems experienced by small companies as they obviate the need for 
those companies to hire franking machines and precharge them with credit 

However, PC based systems only make the Post Office's revenue 
protection processes even more problematic as someone using such an 
internet system is provided at his desk with a computerised postage paid 
indicia which could, potentially, be manipulated and fraudulently used. 

It is an object of the present invention to avoid, or at least alleviate, the 
problems outlined above, and in particular to provide a digital postage mark 
(for use with franking machines, with PC franking or a printed postage 
impression, for example) that assists in the alleviation of these problems. 

In pursuance of this object, various aspects of the present invention are 
defined in the accompanying claims. Particular embodiments of those 
aspects, which are currently preferred, are set out in the accompanying 
dependent claims. 

It should be noted, however, whilst particular features have been 
selected as being of interest, the invention is not so limited and can comprise 
any combination or permutation of features set out herein whether or not that 
combination or permutation has explicitly been claimed. 

Embodiments of the invention will now be described, by way of 
example only, with reference to the accompanying drawings, in which: 

Figure 1 is a schematic illustration of the various components of a 
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known postal system; 

Figure 2 is a schematic illustration of the various processes which 
occur when postal items are sorted at one of the outward mail centres shown 
in Figure 1; 

Figure 3 is a schematic illustration of the various components of an 
IMP such as that shown in Figure 2. 

Figure 4 is a schematic illustration of a coded indicia of the type 
typically applied by the IMP shown in Figure 3; 

Figure 5 illustrates, in graphical form, the bar combinations and 
corresponding alphanumeric symbols of the coded indicia shown in Figure 4; 

Figure 6 is a schematic representation of a digital postage mark; 

Figure 7 is a schematic representation of another digital postage mark; 

Figure 8 is a schematic representation of another digital postage mark; 

Figure 9 is a schematic representation of another digital postage mark; 

Figure 10 is a schematic representation of a message encoded within a 
data matrix; 

Figure 1 1 illustrates use of a CBC mode in an encryption function; 
Figure 12 illustrates a process for generating a main franking key, and 
a check franking key; 

Figure 13 is a schematic representation of data elements used for 
constructing an integrity hash, a main MAC and a check MAC; 

Figure 14 is a schematic representation of a MAC generation process; 
Figure 15 is a schematic representation of an integrated mail 
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processor; and 

Figure 16 is a flow diagram illustrating steps of a revenue protection 
process. 

Before embarking upon a description of the preferred embodiments, it 

5 is useful to point out that the teachings of the present invention are equally 
applicable to digital postage marks printed onto envelopes using the 
aforementioned PC franking process, digital postage marks printed onto self- 
adhesive labels in franking machines, and so-called PPI mail. Accordingly, 
whilst the description provided below will tend to concentrate on postage 

10 marks printed in a PC franking process (such as those described above) it 
should be noted that the invention can be used in other systems, and the scope 
of the invention should not be read as being limited to PC franking by the 
description provided. 

Figure 6 is a schematic representation of a first digital postage mark 

15 70. As shown, the postage mark 70 is composed of a number of constituent 
parts, and it should be noted that not all of these constituent parts are essential 
to the present invention. 

The postage mark 70 comprises, in this arrangement, a so-called 
facing identification mark 72 (referred to in the art as a FIM) which serves 

20 two purposes. FIMs are commonly used in business reply mail to indicate to 
automated mail sorters (such as the IMP 37 described above), the class of 
postage that has been paid for. 

In the arrangement of Figure 6, the FIM comprises two broad marks 
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next to one another, and a further broad mark separated from the other two 
marks. This combination of marks indicates to the automated mail sorter that 
the postage paid is sufficient for 1 st Class mail. 

In addition to indicating the class of postage paid, the FIM also 
functions to provide automated mail sorters (such as the IMP 37 of Figure 1) 
with a means to easily locate the face of the envelope on which the address is 
likely to be written or printed. 

In addition to the FIM (which as will later be described need not be 
provided) the postage mark 70 comprises a data matrix 74 within which 
information is encoded. The information encoded, and the encoding 
mechanism will later be described. It is preferred that the data matrix is a 
particular type of two-dimensional matrix, but it will be appreciated that other 
types of data matrices may be employed if desired. For example, the data 
matrix could comprise a Maxicode 2D matrix, further details of which may be 
found at: www.maxicode.com . 

The postage mark 70 also includes various items of text which can be 
read by a human, or by an OCR device in an automated mail sorter. For 
convenience these text items will be referred to herein as "user readable text" 
76, and it should be noted that the "user" can be a human or a machine. 
The user readable text 76 comprises: 

(1) standard text 78 which does not change and is always printed (in this 
case the text "Royal Mail", and "UK Postage Paid"), 

(2) a class indication 79 (in this case "I s1 ") which varies in accordance 
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with the class of postage paid for (and which is indicated in this 
arrangement by the FIM), 

(3) a date mark 80 (in this case "1 6.08.00*0 which indicates the date on 
which the postage mark was printed, 

(4) an item number 82 (in this case "123456**) which indicates the item 
number assigned to the postage mark, 

(5) a value mark 84 (in this case "0027" - representing 27 pence postage 
paid) which indicates the amount of postage paid, and 

(6) an encrypted mark 86 (represented in the figure as 
"A1B2C3D4E5F6G7H8") which is readable by the user but which 
does not provide any useful information until it has been decrypted. 
As the encrypted mark is readable, but not intelligible by a user, it can 
be manually entered into revenue protection devices (to be described) 
in the event that the data matrix should be unreadable. 

In addition to these marks, the postage mark 70 may optionally 
include a space 88 for a user to print a slogan or company logo. 

As mentioned above, in the preferred arrangement information (some 
of which is encrypted) is encoded to generate the data matrix, and information 
is encrypted to generate the encrypted mark. In an alternative arrangement, 
which is not presently preferred, more of the information for generation of the 
data matrix may first be encrypted before being encoded to generate the data 
matrix. 

Figure 7 is a schematic representation of a second digital postage mark 
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90. The second mark whilst being similar to the first mark in a number of 
respects, differs principally in that the FIM 92 in this arrangement is different 
to that of the first arrangement. 

As shown in Figure 7, the FIM 92 comprises a pair of broad marks 
which are spaced from one another and this configuration indicates to 
automated mail sorters that the postage paid is sufficient for 2 nd Class mail. 

As the class of postage is different in the second mark, the value mark 
94 (in this case "0019" - representing 19 pence postage paid) is different to 
that of the first mark. 

In addition, as the class of postage has changed the data matrix 96 and 
also the encoded text 98 will be constructed (as will later be described) from 
different information (notwithstanding the fact that other items of information 
encoded in these marks will also change). The differences between the 
encoded text and data matrix of the first and second marks need not 
necessarily be apparent upon a visual inspection of the marks, as the marks 
may need to be decoded before the differences are apparent 

Figures 8 and 9 show third and fourth marks that differ from the above 
described first and second marks in that the postage mark does not include 
any FIMs. As is mentioned above, FIM do not necessarily need to be 
provided in order for mail to be sorted by an automated mail sorter. 

In all other respects the marks shown in Figures 8 and 9 are identical 
to those of Figures 6 and 7. 

At this juncture, and before embarking upon a description of particular 
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features of this invention, it is useful to describe the preferred form of data 
matrix in detail, and also the means by which information is encrypted within 
the DPM. 

The Data Matrix 

5 As mentioned above, this description relates to one particular example 

of a two dimensional data matrix, and it will be appreciated by persons skilled 
in the art that alternative data matrices may be employed without departing 
from the scope of the invention. Accordingly, the present description should 
not be read as limiting the scope of this invention. 
10 A number of standards currently exist for two dimensional data 

matrices, and reference may be made to the following standards in the 
forthcoming description where it is appropriate to do so: 

• UPU Standard S21-1: Data Presentation in ASN.l 

• UPU Standard S24-1: FACT-Based Representation of Postal 
1 5 Information and Identifiers 

• UPU Standard S25-1: Data constructs for the communication of 
information about postal items, batches and receptacles 

• UPU Standard S27-1: Framework for communication of information 
about postal items, batches, and receptacles 

20 • UPU Standard S28-1: Communication of postal information using 
two-dimensional symbols 

• ISO 04217: Specification for codes for the representation of 
Currencies & Funds 
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• ISO DIS 15394: Bar Code and Two Dimensional Symbols for 
Shipping, Transport and Receiving Labels 

• ISO 15418: Automatic Identification and Data Capture Techniques - 
International Specification - Data Application Identifiers 

• ISO 1 5434: Transfer Data Syntax for High Capacity ADC Media 

• International Symbology Specification - Data Matrix, published in 
1 1/96 with editorial amendments dated 12/96 (VI. 01), and an erratum 
dated 23/7/97. 

It has been mentioned above that the Data Matrix of the digital postage 
mark contains encoded information. This encoded information will generally 
be referred to as a "Message" containing a number of "Data Elements" each 
relating to a different item of information. 

A complete DPM message may be encoded in one two dimensional 
symbol, or optionally in more than one (for example, two) two dimensional 
symbols. 

Each DPM message comprises: a Message Header, a number of data 
elements, and a Message Trailer. 

The Message Header consists of two parts, a Compliance Indicator 
and a Format Trailer Character, In this system, the Compliance indicator 
comprises three characters [)>, and the Format Trailer Character comprises 
the 8 bit hexadecimal value IE (ASCII R s )]. 

The data elements mentioned above are encoded in a block 
comprising: 



20 



(1) a Format Header, comprising a Format Indicator (in this case value 06 
for FACT Data Constructs) followed by a Data Element Separator (in 
this case hexadecimal value ID (ASCII ° s )); 

(2) the data elements; and 

(3) a Format Trailer character (in this case R s ). 

The Message Trailer comprises the 8 bit hexadecimal value 04 
(ASCII E or). 

In summary, each message comprises: a Message Header, a Format 
Header, Data Elements, a Format Trailer and a Message Trailer. This 
message structure is shown diagrammatically in Figure 10. 

Additional customer defined message(s) may be agreed with a 
customer, and these messages will be included in one or more further data 
matrices (not shown). 

The Data Elements of the message described above may comprise 
information concerning one or more of the following: 



(1) 


a FACT Prefix; 


(2) 


a licensing Post Identifier; 


(3) 


an account reference; 


(4) 


a device reference; 


(5) 


a batch number or licence number; 


(6) 


an item number; 


(7) 


a data format identifier; 


(8) 


item data or a postcode (including delivery point information); 
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(9) a service code; 

(10) a postage value; 

(11) a date; 

(12) a key version; 

(13) one or more message authentication codes (MACs), and 

(14) a digital signature. 

The FACT prefix in this case is defined as ASCII J, and is provided 
to indicate that the data following the prefix is issued under an authority 
granted by the Universal Postal Union (UPU). 

The Licensing Post Identifier data element is a three ASCII character 
field identifying which postal admmistration has authorised a given customer 
to encode messages in accordance with the mechanism described herein. In 
the United Kingdom, the Licensing Post Identifier would be GBA for the 
Royal Mail. 

The Account Reference data element is a field of six alphanumeric 
ASCII characters. Alphanumeric characters are defined in the context of this 
document as being upper case alphabetic characters or numeric characters. 

The Account Reference, combined with the batch number/licence 
number and the data format identifier uniquely identifies the licensed entity 
from whom the mail has originated. 

The Device Reference data element is a field of four alphanumeric 
ASCII characters formed by a provider identifier (e.g. an identifier for the 
provider of the tranking machine) and a device model number (i.e. the model 
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number of the device by means of which the DPM was printed), each of two 
characters. 

The Batch Number/Licence number data element is defined as a field 
of six alphanumeric ASCII characters. Each postal item forms part of a batch 
of mail that is identified through a unique batch number. A batch is defined as 
either: all of the franked mail items associated with one Statement Of Mailing 
Submission (in this case the batch number will effectively be the SOMS 
number); or all of the mail items, whose postage was accounted for by a 
defined postal security device, franked between two consecutive occasions on 
which the device was re-credited. Postal Security Devices (PSDs) are secure 
hardware devices which perform a postal accounting function. PSDs can 
form part of a franking machine (as mentioned above), or alternatively they 
may take the form of a PC interface card or a secure device with an interface 
to a PC such as a smart card, for example. 

Batch Numbers begin at '0* and are incremented in steps of one. The 
Licence number is also known as the customer Account Reference. The data 
format identifier determines whether this data element describes the batch or 
the licence, is determined by the data format identifier. 

The Item Number data element is defined as a field of six numeric 
ASCII characters, and functions to identify an individual postal item within a 
batch of postal items. Item Numbers begin at '0' and increment in steps of 
one. 

The Data Format Identifier data element comprises one numeral, and 
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is used to identify the type of device or product printing the digital postage 
mark, i.e. whether the DPM has been produced by PC franking, by a franking 
machine or is a PPL 

The Item Data / Post Code data element is an application dependent 
alphanumeric data field. This field is preferably defined by the individual 
item's Post Code, and comprises up to nine ASCII characters, the first being 
an alpha, the rest being alphanumeric. The field must be padded with spaces 
to nine characters in the event that the post code or other data is less than nine 
characters. If the field contains a Post Code it may be divided into 3 fixed 
length sub-fields, Outward (four alphanumeric characters), Inward (three 
alphanumeric characters), DPS (two alphanumeric characters); and all sub- 
fields are left-justified space padded. 

The intention is that this field supports the security and efficiency of 
the postal system by improving address interpretation and reducing the 
potential for fraudulent indicia, for example. The preference is that this field 
contains the item's Post Code, which is a coded representation of the 
geographic delivery location within the United Kingdom. Space is provided 
for the outward, inward, and delivery point codes as defined above. If no Post 
Code is available then up to the first nine characters of the bottom line of the 
address may be used (the first must be an alpha), otherwise the field may be 
filled with all space characters. Depending upon the postal application, the 
field may contain other alphanumeric data which identifies the item or 
authenticates the DPM e.g. a serial number for the substrate on which the 
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DPM is printed. 

The Key Version data element is defined by two ASCII characters, 
and is used to identify a set of keys held within a given Postal Security 
Device. 

The Message Authentication Codes (MACs) and Digital Signature 
data elements are defined by two twenty bit strings, and a fourteen bit string. 
The MACs and digital signature are used to ensure the authentication and 
integrity of variable data contained within the message using symmetric 
encryption for the MACs, and an SHA-1 message digest function (as defined 
in FIPS180-1; Secure Hash Standard, FIPS Publication 180-1, National 
Institute of Standards and Technology, May 1993) for the digital signature. 
Two MACS are used, the main MAC for normal use, and a check MAC for 
confidence checking. The procedure for encrypting the MACs will later be 
described in association with the description relating to the encrypted, user 
readable, mark. 

The Service Code data element comprises four alphanumeric 
characters. In this field, 1CXX designates first class post service, and 2CXX 
designates second class post service. Other postal service classes may later be 
defined. 

The Postage Value data element is defined by a field of four numeric 
characters which together define the value of the service provided in UK 
currency (pence). This is also the postage value accounted for by the PSD 
when the DPM is generated. 
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The Date data element comprises a field of four numeric characters 
which define the month and day on which the DPM is generated in the format 
"mmdd". A user readable version of this data element is also printed in the 
DPM, as mentioned above. 

As mentioned above, Messages may be represented on mail items and 
other items by means of two dimensional symbols printed in accordance with 
the AIM Data Matrix Technical Specification defined in an AIM Internationa] 
Specification entitled International Symbology Specification - Data Matrix, 
published in 11/96 with editorial amendments dated 12/96 (VI. 01), and an 
erratum dated 23/7/97. 

This particular Data Matrix symbology supports a number of variants, 
of which a variant called ECC200 is one - and it is preferred that this variant 
of the symbology is used as it uses Reed-Solomon error correction. Any of 
the compaction modes and Macro Characters supported in the ECC200 
variant of the Data Matrix AIM specification may be used. Although, it is 
thought that in practice, only two encodation schemes are likely to be used; 
ASCII, at the start of the symbol, for encodation of some character data and 
for encodation of long numeric strings, and C40 encodation for data streams 
containing uppercase alphabetic and numeric characters. 

The minimum size for a cell of the data matrix in accordance with the 
preferred arrangement is in the range of 0.60mm for a 300 dpi printer (7 dots) 
to 0.63mm for a 200 dpi printer (5 dots). A higher cell size may be required 
depending upon the print resolution. The data matrix symbol is preferably 16 
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by 48 cells (72 alphanumeric characters) if facing identification marks (FIMS) 
are required on the mail. Otherwise, a square data matrix of 26 by 26 (64 
alphanumeric characters) shall be printed when no FIMS are required 

Whilst the above described AIM symbology supports Extended 
Channel Interpretation (ECI) it is not proposed to make use of this 
functionality in the preferred arrangement as there is likely to be little need to 
encode data from alphabets other than the Latin Alphabet. 

As mentioned above, it is possible to provide a number of data matrix 
symbols adjacent to one another. Preferably a maximum of two data matrix 
symbols are provided. In any case it is preferred that the Data Matrices 
include a Quiet Zone of twice "X" between the symbols and between the 
symbols and other printed data. The first symbol will contain the main 
franking indicium message while the second, to the left, may contain 
customer defined data. The Quiet Zone is needed to discriminate the symbol 
from surrounding printed data. The Data Matrix specification (mentioned 
above) requires this Quiet Zone to be at least "X" wide on all four sides of the 
symbol, but to improve readability on automated postal sorting equipment it is 
preferred that a quiet zone of a minimum of twice the "X" dimension is 
provided. The "X" dimension is defined as the intended width of the cells of 
the data matrix. 
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Encryption 

As mentioned above, the DPM includes an encrypted user readable 
mark which, whilst being readable by a user, is unintelligible until the mark 
has been decrypted. The DPM also includes, encoded with the Data Matrix, 
5 encrypted MACs and a digital signature. 

It will be appreciated by those persons skilled in the art that many 
different types of encryption exist, and that any of these different types of 
encryption can be substituted for the particular type of encryption that will 
now be described, without departing from the scope of the invention. 
10 A number of standards currently exist for data encryption, and 

reference may be made to the following standards in the forthcoming 
description where it is appropriate to do so: 

• [FIPS46] FIPS PUB 46, "Data Encryption Standard", NIST, 

January 1977. 

15 • [FIPS81] FIPS PUB 81, "DES Modes of Operation", NIST, 

December 1980. 

• [FIPS180-1] Secure Hash Standard, FIPS Publication 180-1, Nat 

Inst, of Standards and Technology, May 93. 

• [IS0421 7] Currency and Funds Code List. 

20 • [RFC1321] The MD5 Message-Digest Algorithm, R. Rivest, 

Request for Comments: 1321, April 1992. 

• [FIPS 46-3] FIPS PUB 46-3, "Data Encryption Standard", NIST, 
October 1999. 
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• [ANSI X9.52] Triple Data Encryption Algorithm modes of operation. 

As has been mentioned briefly above, before a customer is able to 
generate a postage mark they must first obtain postal credit from a recrediting 
centre (RC), and use this credit to charge their postal security device. 
Conveniently, obtaining credit from a recrediting centre and charging of PSDs 
can be accomplished on-line upon connection of the PSD to the RC. Once 
credit has been obtained the customer may then use their PSD (either as part 
of a PFM or a PC Franking system) to print digital postage marks onto 
envelopes or labels. 

For security purposes, each PSD contains a number of cryptographic 
keys, some of which are unique to that PSD. in the preferred arrangement, 
each PSD contains a Main Franking Key, a Check Franking Key and an 
Integrity Key. The Main Franking Key and Check Franking Key are 16-byte 
triple-DES keys and The Integrity Key is a single-DES key. The PSD ensures 
that these keys are kept secret, and each PSD has a unique Main Franking Key 
and Check Franking Key. 

Single-DES block encryption is defined in the above mentioned 
standard FIPS46, and encryption of data in accordance with this standard 
under a key, k, is generally notated by E DE s[A]0&/a). Similarly, decryption of 
data under key k in accordance with this standard is notated by DoEs[k](data). 
k and data each consist of eight bytes of information, each byte comprising 
eight bits with the most significant bit first. In this application it is assumed 
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that the values of parity bits of a key (as defined in FIPS46) are ignored by the 
E D es and Does functions. 

Triple-DES block encryption has two forms which are concatenations 
(notated as T) of 8 byte single-DES keys K,, K 2 and K 3 . The two forms of 
triple-DES encryption are a 16-byte key, K-K\ || K 2 , and a 24-byte key K = 
Ki || K 2 || K 3 . As will later be described, these keys are used for different 
purposes in the system. Each of the two forms of encryption consist of 
alternating DES encryption and decryption. 

The 16-byte Triple-DES form comprises the following functions: 
EroBsilKKdata) = Edes[*i]( Thm[K 2 ]( E DES [Ki](data) ) ) 
T>n>ES2[K\(data) = D DES [^i]( E D es[K 2 ]( D DES [A:,](<fata) ) ) 
The 24-byte Triple-DES form comprises the following functions: 
EjDEssIWa/a) = E D es[*i]( D DE s[A2]( E D es[^3](^) ) ) 
DjvEnlKKdata) - D D ^[K { ]( E DES [^ 2 ]( I>DEs[Ki](data) ) ) 
Encryption of multiple blocks is accomplished with a form of Cipher 
Block Chaining (CBC) as defined in the above mentioned FIPS81 standard. 
Using an encryption function in CBC mode reduces the possibility of attacks 
which generate valid messages by substituting encrypted blocks, and also 
forms the basis of a method for generating message authentication codes 
(MACs) (as will later be described). 

To use the encryption function in CBC mode a sequence of n blocks of 
plaintext: 
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is transformed to blocks of ciphertext 

C = C, || & || ...lie. 

where (using the notation for exclusive OR): 

C,.E T DES2[A](/ > l) 

Ch-i = ETDES2[^](Ci © TV,) for 1 < i < n 

This process is illustrated schematically in Figure 1 1 . 

It will be understood from the above, and from Figure 1 1, that C n is the 
notation for the value of the last enciphered block in a sequence, P, of n 8-- 
byte blocks. The notation Etdes2MAC is also used, and is defined as follows: 

Etdes2mac[K\(P) = C„ 

These keys are used to generate the aforementioned digital signature 
which is used to validate the DPM. For example, it is proposed that The 
Main Franking Key will be used as a normal check for use wherever DPMs 
are validated, and that The Check Franking Key will be used to determine 
whether or not a Main Franking Key has been compromised. It is proposed 
that The Integrity Key will be used to provide basic confidentiality of, for 
example, the device reference (e.g. the identification number of the PSD) and 
item number, and also to provide a basic integrity check. 

As is mentioned above, the Main Franking Key and Check Franking 
Key are unique to the PSD that holds them. The Integrity Key, is, in principle, 
common to all PSDs, but in practice it is likely that PSDs may be collected 
into sets and that each set will have a unique key. 

The Main Franking Key and Check Franking Key are derived for each 
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PSD from master keys, the Main Franking Master Key and Check Franking 
Master Key which are each 24-byte Triple-DES keys. The Main Franking 
Key and Check Franking Key are derived from these master keys. 

The main and check franking keys are derived from their master keys 
by means of a hash function, MD5, defined in the RFC1321 standard 
mentioned above. Hash functions in general take a variable length input and 
generate a normally smaller output. In this context, the hash function would 
be described as being "one way". In the present case, the hash function takes 
an input, data, of arbitrary length and generates, in a relatively 
computationally-inexpensive process, two 64 bit halves of a 128 bit data 
block, represented as 

MD5(</a/a) = Hashl || Hash2 

In the present system, as will later be described, the data on which the 
MD5 function operates is key data comprising a key version concatenated 
with a device reference (e.g. a PSD id). 

The main franking key, and check franking key are generated as 
follows: 

Main Franking Key = E TO ES3[Main Franking Master Key] (Hashl) || 

EjDES3[Main Franking Master Key] (Hash2) 
Check Franking Key = Etdes3 [Check Franking Master Key] (Hashl) || 

ETDES3[Check Franking Master Key] (Hash2) 
This process is illustrated schematically in Figure 12. 
The appropriate authorities must protect these master keys. The 
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authority holding the Check Franking Master Key in the preferred 
arrangement is separate from the authority holding the Main Franking Master 
Key. Master cryptographic keys are generated and, where necessary, 
distributed from the Key Distribution Centre (KDC). As mentioned above, 
PSDs are recredited by communicating with recrediting centres, which in the 
preferred arrangement are also responsible for distributing key updates to 
PSDs when necessary. 

As is mentioned above, the DPM includes a MAC (message 
authentication code) data element encoded in the data matrix. The MAC is 
also used in the generation of the user-readable encrypted mark. 

The MAC is constructed from other fields in the DPM, the Main 
Franking Key and the Check Franking Key and consists of two 20-bit fields: 
The Main MAC, and The Check MAC. An Integrity Hash is appended to the 
MAC data field and is used as a low level, revenue protection check on the 
indicia. 

The Integrity Hash is used to check on a DPMs integrity without risk 
of compromising the PSDs* Main Franking Keys or Check Franking Keys. 
The integrity protection, however, is not as strong as that provided by the 
MAC option. The Integrity hash is calculated using 

Integrity Hash = firstHbits (SHA-1 (Key Version || PSD Id || Item 
Data)) 

where "firstHbits" means the bits in the 14 most significant bit 
positions in the result. 
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Data elements used for constructing the Integrity Hash, Main MAC 
and Check MAC are shown schematically in Figure 13. 
As shown, in Figure 13, the Input Data consists of: 

Input Data = Key Data || Item Data 
The Key Data is used to identify the Main Franking Key and Check 
Franking Key, and consists of: 

Key Data - Key Versions || PSD Id 
where the PSD Id equals the device reference number concantenated 
with the device model number. 

The Item Data consists of: 

Item Data = Item Number || Date || Value || Service || Postcode 
and the length of the Item Data in the preferred arrangement is equal 
to 216 bits. If the length of elements within the Item Data changes, then 
padding data (Padl) is added to make the length of Item Data a multiple of 64 
bits. It will be apparent, therefore, that in the present example Padl is 40 bits, 
to take to length of the item data to 256 bits. 
The Main MAC comprises: 

Main MAC - first20bits (E TO ES2MAc[Main Franking Key] ( Item Data 
II Padl)) 

where "firstnbits" means the bits in the "n" most significant bit 
positions in the result. 

The Check MAC comprises: 

Check MAC = first20bits( EiDEsiMAcfCheck Franking Key] ( Item 
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Data||Padl)) 

The MAC generation process is summarised in Figure 14. 

As mentioned above, it is possible that the data matrix used to encode 
the information may fail to be read - for example because it has been badly 
printed. To account for this possibility, encrypted user readable text is printed 
in the DPM so that assurance can be given that the indicia is legitimate even 
though the data matrix cannot be decoded. 

The user readable text is encrypted using a derived integrity key, 
which changes on a daily basis, represented by: 

Derived Integrity Key = ETDES2[Integrity Key] (Date || Pad2) 

where Pad2 is padding comprising 4 bytes of binary zeros. 

Encrypted Data for the encrypted user readable mark is derived from 
the derived integrity key in accordance with the following function: 

Encrypted Data = EiDES2[Derived Integrity Key] ( PSD id || User 
Readable Item Number || account reference ) 

The output of this encrypted data function is then converted to a 16 
character hexadecimal number, where the first hexadecimal character 
represents the first 4 bits of the result, i.e. the first 4 most significant bit 
positions in the result. This hexadecimal number is then printed on the 
envelope as the aforementioned encrypted user readable mark. 

It can be seen from the above that the integrity of the information 
encoded within the data matrix can be preserved by appending the MACs 
and/or (preferably "and**) a digital signature derived from the above 
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mentioned keys to the information. As a further advantage of this 
arrangement, integrity can still be preserved by means of the encrypted mark, 
even if the data matrix should be unreadable. 

Post office facilities receiving postal items bearing DPMs can decode 
(or decrypt in the case of the encrypted user readable mark) the digital postage 
marks to reveal encrypted MACs and digital signatures, which can then be 
decrypted to allow the post office to validate the origin of the DPM. 

The DPM, as will now be described, can also be used as part of a 
sophisticated revenue protection process that enables the post office to detect 
attempted fraud. This particular invention is concerned with those persons 
who attempt to defraud the Post Office by using the same DPM on more than 
one postal item, or by using a DPM that has been generated by a PSD that has 
been allocated to another entity. 

To implement this system the Post Office allocates to each user, or 
group of users, a forensically detectable marker which will always be 
included in inking products supplied to those users for the printing of DPMs. 

For example, the marker may be included in ink that forms part of an 
ink cartridge for use in a postal franking machine or in a desktop printer in a 
PC franking system, or part of ink used to print PPIs. 

In the preferred embodiment, each entity authorised to generate DPMs 
will be assigned a unique marker. However, it is recognised that there may 
not be a sufficient number of markers available to implement this, and 
therefore as an alternative it may be acceptable to rely on individual marker 
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and entity identity (defined by the account reference, the batch number and 
the data format identifier) combinations being unique. In either case, the 
identity of a given entity and the marker assigned to that entity is stored in a 
database. 

Figure 15 is a schematic representation of an integrated mail processor 
150 which includes, in addition to the components of existing IMPs such as 
the one depicted in Figure 3 (which are referenced with the same numerals 
used in Figure 3), a DPM scanning station 152 and a revenue protection 
facility 154. 

As postal items pass the DPM scanning station 1 52 of the IMP 1 50 the 
digital postage mark is scanned by a marker detector which determines 
identifying characteristics of the marker included in the ink used to print that 
DPM. 

The scanning station also captures an image of the data matrix, and a 
logic device 156 connected to the scanning station decodes the data matrix of 
the DPM to reveal the various data elements mentioned above which are 
encoded therewithin. If an image of the data matrix cannot be retrieved then, 
in this particular arrangement, the postal item concerned is rejected from the 
IMP for manual processing (as described in Figures 1 to 3). Associated with 
the logic device 156 is a database 158 in which entity identities and associated 
assigned markers are stored. 

Once a given DPM has been scanned by the scanning station 158 and 
the DPM has been decoded, the logic device 156 retrieves the decoded 
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account reference, batch number and data format data elements. These data 
elements uniquely identify the entity that has placed the postal item in 
question in the postal system. 

Using the entity identity derived from the above mentioned data 
elements, the logic device retrieves the associated marker characteristics 
stored for that entity in the database 158, and compares the stored marker 
characteristics with marker characteristics that have been determined from the 
scan of the DPM by the marker detector. 

If the logic device 156 should determine that the detected marker 
characteristics match those stored in the database for the entity identified by 
the decoded account reference, batch number and data format data elements, 
then the DPM is determined to be valid and processing of the postal item 
associated with the DPM is allowed to continue. 

If the logic device should determine that the detected marker 
characteristics (which may be a null set of no marker characteristics) are 
different from those stored in the database for the identified entity, or if the 
identified entity should have no associated marker characteristics stored; then 
the DPM is determined to be potentially fraudulent, and the associated postal 
item is diverted to a store 160 for postal items with potentially fraudulent 
DPMs. Once in the store the DPM can be rechecked against the information 
stored in the database and further action can be taken if the information 
detected is found to be different from that stored. 

This revenue protection process is illustrated schematically as a flow 
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diagram in Figure 16. In a first stage 160 the scanning station 152 attempts to 
scan a DPM from a postal item and the marker detector attempts to detect 
marker characteristics. In the next stage 162 the logic device 156 determines 
whether or not the data matrix has been adequately scanned. If the data 
5 matrix is unreadable then the postal item in question is rejected in step 164 
from the IMP. 

If the data matrix can be read, the logic device 156 - in step 166 - 
decodes information relating to data elements encoded within the data matrix 
(in this case information identifying the sending entity). Next, in step 168, the 
1 0 logic device 1 56 retrieves stored marker characteristics from the database 1 58, 
and in a next step 169, compares the retrieved stored marker characteristics 
with the detected characteristics. 

Then, in step 170, the logic device determines whether or not the 
scanned information matches the stored information. If the logic device 
1 5 should detect a match in step 1 70, then DPM is determined to be valid and the 
item of post concerned is allowed to continue in step 172 to be processed. 

If the logic device should determine that the stored characteristics are 
different from those detected, or if there should be not stored characteristics 
for the identified entity, then the DPM is determined to be potentially 
20 fraudulent and the associated postal item is diverted from the IMP to a store 
for postal items where the item can be rechecked. 

It can be seen therefore that this arrangement provides the Post Office 
with an effective means to detect attempted fraud. 
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In the preferred arrangement this process is accomplished in real time, 
with the data matrix being decoded and the check against the database being 
made within a very short time of the data matrix being scanned. 

The teachings of this embodiment may also be employed to enable 
postal items of untrustworthy sending entities to be flagged as being 
"suspicious", whereupon they can be diverted for detailed checking. 

As an alternative to the arrangement described above, the user 
readable encrypted mark may contain information identifying the entity who 
has generated the DPM, and the mark may be decrypted (instead of or as well 
as the data matrix being decoded) to provide information identifying the entity 
who has generated the DPM. 

The marker may be any sort of forensically detectable marker. For 
example, the marker may be a radioactive marker, or alternatively it could be 
an optical marker arranged to fluoresce or phosphoresce at a particular 
wavelength. 

It will also be understood, and should be noted, that the particular 
embodiments described herein are provided only by way of example. Persons 
skilled in the art will no doubt be capable of devising modifications and 
alterations to the embodiments described which whilst being different to the 
modifications and alterations mentioned will nevertheless still be within the 
scope of the present invention as defined in the accompanying claims. 

For example, whilst in figure 15 the revenue protection facility and 
DPM scanner/detector are shown as being part of an IMP it will be apparent 
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that they could instead be provided in a stand-alone machine through which 
postal items are fed either before or after they are fed through the IMP. They 
could also be incorporated in any of a number of alternative machines or 
processes. For example, the scanner and or detector could comprise a hand 
scanner operated by persons working in a dedicated revenue protection 
facility or indeed in any one of the facilities shown in Figures 1 to 3. 

It will also be appreciated that whilst it is preferred that different 
markers are supplied to different entities, this need not be the case. A useful 
check could still be accomplished even if the same marker were to be 
distributed to the entities authorised to generate DPMs. In such 
circumstances, a DPM without a marker would be held to be invalid as it 
could have been produced, for example, by photocopying a previously 
generated DPM. It will be appreciated that in this alternative embodiment 
there is no need for entity identifying information to be extracted from the 
DPM. 

In addition, it should also be noted that whilst in the preferred 
arrangement it is determined whether the detected characteristics are identical 
to the stored characteristics, it may be sufficient to determine whether the 
detected characteristics are sufficiently similar to the stored characteristics to 
be acceptable. 
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Claims 

1. Apparatus for determining the validity of a postage mark, the 
apparatus comprising: 

detector means operable to detect a marker in a postage mark and to 
generate data representative of characteristics of said marker, and 

logic means operable to compare said generated characteristic data 
with stored characteristic data for said marker; 

wherein the logic means determines the postage mark to be valid if 
said generated characteristic data matches said stored characteristic data, or 
determines the postage mark to be invalid if said generated characteristic data 
does not match said stored characteristic data. 

2. Apparatus according to claim 1, wherein said postage mark comprises 
information identifying the entity by whom the mark has been generated. 

3. Apparatus according to Claim 2, wherein said entity identifying 
information is encoded within said mark. 

4. Apparatus according to claim 2, wherein said entity identifying 
information is encrypted within said mark. 
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5. Apparatus according to Claim 3, wherein said entity identifying 
information is encoded and encrypted within said mark. 

6. Apparatus according to any of claims 2 to 5, wherein: 

the detector is capable of detecting a plurality of markers with 
different marker characteristics, a said marker being assigned to an entity or 
group of entities, and 

the apparatus further comprises a database storing entity identifying 
information and assigned marker characteristics, the marker characteristics for 
a said entity or group of entities being different to those for other entities or 
groups of entities. 

7. Apparatus according to Claim 6, wherein: 

the detector means is operable to detect said entity identifying 
information, and 

the logic means is operable to determine the postage mark to be valid 
if the generated characteristic data matches the stored characteristic data for 
the entity or group of entities identified by said detected identifying 
information. 

8. Apparatus according to any preceding claim, wherein a match is 
determined to occur if said detected characteristic data resembles in at least 
one respect the stored characteristic data. 
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9. Apparatus according to any preceding claim, wherein a match is 
determined to occur if said detected characteristic data is identical to said 
stored characteristic data. 

10. Apparatus according to any preceding claim, wherein said marker 
comprises a forensic marker. 

11. Apparatus according to any preceding claim, wherein said marker is 
provided as a substance within ink used to print said postage mark. 

12. Apparatus according to claim 10 or 1 1, wherein said forensic marker 
is a radioactive substance. 

13. Apparatus according to claim 10 or 1 1, wherein said forensic marker 
comprises a substance which emits electromagnetic radiation when 
illuminated with electromagnetic radiation of a predetermined wavelength. 

14. Apparatus according to claim 13, wherein said substance fluoresces or 
phosphoresces when illuminated with said radiation. 

15. An integrated mail processor comprising apparatus according to any 
preceding claim. 
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16. Apparatus, or an integrated mail processor, substantially as 
hereinbefore described with reference to the accompanying drawings. 

17. An envelope comprising a postage mark that includes at least one 
detectable marker. 

18. An envelope according to claim 17, wherein the marker comprises a 
forensic marker. 

19. An envelope according to Claim 17 or 18, wherein said marker is 
provided as a substance within ink used to print said postage mark. 

20. An envelope according to claim 18 or 19, wherein said forensic 
marker is a radioactive substance. 

21. An envelope according to claim 18 or 19, wherein said forensic 
marker comprises a substance which emits electromagnetic radiation when 
illuminated with electromagnetic radiation of a predetermined wavelength. 

22. An envelope according to claim 21, wherein said substance fluoresces 
or phosphoresces when illuminated with said radiation. 



45 

23. An envelope substantially as hereinbefore described with reference to 
the accompanying drawings. 

24. A method for determining the validity of a postage mark, the method 
comprising the steps of: 

detecting a marker in a postage mark and generating data 
representative of characteristics of said marker; 

comparing said generated characteristic data with stored characteristic 
data for said marker; and 

determining the postage mark to be valid if said generated 
characteristic data matches said stored characteristic data, or invalid if said 
generated characteristic data does not match said stored characteristic data. 

25. Computer program product comprising one or more software portions 
which when executed in an execution environment are capable of performing 
one or more of the method steps of Claim 24. 

26. A method for determining the validity of a postage mark substantially 
as hereinbefore described. 

27. A method of generating a postage mark suitable for use in the method 
of Claim 24 or suitable for use with the apparatus of any of Claims 1 to 16, 
the method comprising the steps of generating a postage mark, and printing 
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that generated mark with ink which includes a marker. 

28. A method according to Claim 27 wherein said generating step includes 
the step of generating entity identifying information for printing in said 
postage mark. 
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